atomic-red-team/atomics/T1040/T1040.yaml
Carrie Roberts 1bfefdacfc Add elevated (#542)
* provide elevation_required attribute

* provide elevation_required attribute

* provide elevation_required attribute
2019-09-03 07:34:42 -06:00


---
attack_technique: T1040
display_name: Network Sniffing
atomic_tests:
- name: Packet Capture Linux
  description: |
    Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
  supported_platforms:
  - linux
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: String
      default: ens33
  executor:
    name: bash
    elevation_required: true
    command: |
      tcpdump -c 5 -nnni #{interface}
      tshark -c 5 -i #{interface}
- name: Packet Capture MacOS
  description: |
    Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
  supported_platforms:
  - macos
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: String
      default: en0A
  executor:
    name: bash
    elevation_required: true
    command: |
      tcpdump -c 5 -nnni #{interface}
      tshark -c 5 -i #{interface}
- name: Packet Capture Windows Command Prompt
  description: |
    Perform a packet capture using the Windows command prompt. This will require a host that has Wireshark/Tshark
    installed, along with WinPCAP. Windump will require the windump executable.
  supported_platforms:
  - windows
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: String
      default: Ethernet0
  executor:
    name: command_prompt
    elevation_required: true
    command: |
      # the tshark path contains a space, so it must be quoted or cmd.exe tries to run "c:\Program"
      "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
      c:\windump.exe
- name: Packet Capture PowerShell
  description: |
    Perform a packet capture using PowerShell with windump or tshark. This will require a host that has Wireshark/Tshark
    installed, along with WinPCAP. Windump will require the windump executable.
  supported_platforms:
  - windows
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: String
      default: Ethernet0
  executor:
    name: powershell
    elevation_required: true
    command: |
      # PowerShell needs the call operator (&) to run a quoted path as a command
      & "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
      c:\windump.exe
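The test definitions above rely on two conventions of the atomic YAML format: `#{name}` placeholders in `executor.command` are filled from `input_arguments` (the argument's `default` unless the operator overrides it), and the `elevation_required` attribute this commit introduces tells the harness whether the executor needs root or Administrator. The following script is an added example, not code from the Atomic Red Team project; it reproduces the Linux test as an inline Python dict (constructed from the YAML above, so the script runs offline without a YAML library) and implements the placeholder substitution and elevation check a test runner would perform, rejecting unknown placeholders and overrides instead of silently leaving them unexpanded.

```python
import re

# Matches the atomic placeholder syntax, e.g. "#{interface}".
PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")

# Constructed from the "Packet Capture Linux" test in T1040.yaml above,
# transcribed by hand rather than loaded from the repository.
LINUX_TEST = {
    "name": "Packet Capture Linux",
    "supported_platforms": ["linux"],
    "input_arguments": {
        "interface": {
            "description": "Specify interface to perform PCAP on.",
            "type": "String",
            "default": "ens33",
        },
    },
    "executor": {
        "name": "bash",
        "elevation_required": True,
        "command": "tcpdump -c 5 -nnni #{interface}\ntshark -c 5 -i #{interface}\n",
    },
}


def render_command(test, overrides=None):
    """Expand every #{arg} in the executor command.

    Values come from `overrides` when given, otherwise from the argument's
    default. An override for an argument the test does not declare, or a
    placeholder with no matching input_argument, is an error: a runner that
    passed either through would execute a command different from the one
    the test author wrote.
    """
    overrides = overrides or {}
    args = test.get("input_arguments", {})
    unknown = set(overrides) - set(args)
    if unknown:
        raise KeyError(f"override(s) not declared in input_arguments: {sorted(unknown)}")

    def substitute(match):
        name = match.group(1)
        if name not in args:
            raise KeyError(f"placeholder #{{{name}}} has no input_argument")
        return str(overrides.get(name, args[name]["default"]))

    return PLACEHOLDER.sub(substitute, test["executor"]["command"]).rstrip("\n")


def command_lines(test, overrides=None):
    """The rendered command split into the individual lines the executor runs."""
    return render_command(test, overrides).splitlines()


def requires_elevation(test):
    """True when the executor declares elevation_required (absent means false)."""
    return bool(test["executor"].get("elevation_required", False))


def execution_plan(test, overrides=None):
    """Summarise what a runner would need to do, without running anything."""
    return {
        "name": test["name"],
        "executor": test["executor"]["name"],
        "elevation_required": requires_elevation(test),
        "commands": command_lines(test, overrides),
    }


if __name__ == "__main__":
    # With defaults, then with the interface overridden as an operator would.
    for plan in (execution_plan(LINUX_TEST), execution_plan(LINUX_TEST, {"interface": "eth0"})):
        print(plan)
```

Because `execution_plan` only renders the commands, the same routine serves a detection engineer who wants to know in advance which process names and arguments (here `tcpdump` and `tshark` with `-i <interface>`) a scheduled atomic will produce in process-creation telemetry, and whether those processes will be launched with elevated privileges.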